b"                            SOCIAL SECURITY\n\n\nFebruary 28, 2005\n\nThe Honorable Adam Putnam\nChairman, Subcommittee on Technology, Information Policy,\n Intergovernmental Relations and the Census\nCommittee on Government Reform\nHouse of Representatives\nWashington, D.C. 20515\n\nDear Mr. Putnam:\n\nDuring testimony on September 22, 2004 before your Subcommittee, I discussed\nFederal agencies\xe2\x80\x99 use of Social Security numbers. As part of this discussion, I\nmentioned the 2003 President\xe2\x80\x99s Council on Integrity and Efficiency report, Federal\nAgencies\xe2\x80\x99 Controls over the Access, Disclosure and Use of Social Security Numbers by\nExternal Entities. Because of your continuing interest in the use and protection of\nSocial Security numbers, we conducted a follow-up review to determine the status of\ncorrective actions Federal agencies have taken to address recommendations resulting\nfrom this review. The enclosed report summarizes the results of our review.\n\nIf you have any questions or would like to be briefed on this issue, please call me or\nhave your staff contact H. Douglas Cunningham, Assistant Inspector General for\nCongressional and Intra-Governmental Liaison, at (202) 358-6319.\n\n                                                Sincerely,\n\n\n\n                                                S\n                                                Patrick P. O\xe2\x80\x99Carroll, Jr.\n                                                Inspector General\n\nEnclosure\n\ncc:\nJo Anne B. Barnhart\n\n\n\n\n            SOCIAL SECURITY ADMINISTRATION          BALTIMORE MD 21235-0001\n\x0c  CONGRESSIONAL RESPONSE\n         REPORT\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls\n over the Access, Disclosure, and Use of\n  Social Security Numbers by External\n                 Entities\n\n              A-08-05-25101\n\n\n\n\n              February 2005\n\x0c                                    Mission\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n      \xc2\x81 Conduct and supervise independent and objective audits and\n      investigations relating to agency programs and operations.\n      \xc2\x81 Promote economy, effectiveness, and efficiency within the agency.\n      \xc2\x81 Prevent and detect fraud, waste, and abuse in agency programs and\n      operations.\n      \xc2\x81 Review and make recommendations regarding existing and proposed\n      legislation and regulations relating to agency programs and operations.\n      \xc2\x81 Keep the agency head and the Congress fully and currently informed of\n      problems in agency programs and operations.\n\n      To ensure objectivity, the IG Act empowers the IG with:\n\n      \xc2\x81 Independence to determine what reviews to perform.\n      \xc2\x81 Access to all information necessary for the reviews.\n      \xc2\x81 Authority to publish findings and recommendations based on the\n      reviews.\n\n                                     Vision\nBy conducting independent and objective audits, investigations, and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration's programs, operations, and management and in\nour own office.\n\x0c                                                                          Background\nOBJECTIVE\n\nDuring testimony on September 22, 2004 before the House Committee on Government\nReform, Subcommittee on Technology, Information Policy, Intergovernmental Relations\nand the Census, we discussed Federal agencies\xe2\x80\x99 use of Social Security numbers\n(SSN). As part of the discussion, the Acting Inspector General mentioned the\n2003 President\xe2\x80\x99s Council on Integrity and Efficiency (PCIE) report, Federal Agencies\xe2\x80\x99\nControls over the Access, Disclosure and Use of Social Security Numbers by External\nEntities. Because of continuing interest in the use and protection of SSNs, we\nconducted a follow-up review to determine the status of corrective actions Federal\nagencies have taken to address recommendations resulting from this review.\n\nBACKGROUND AND GENERAL DESCRIPTION\n\nThe SSN was created in 1936 as a means of establishing and maintaining workers\xe2\x80\x99\nearnings and eligibility for Social Security benefits. However, over the years, the SSN\nhas become a de facto national identifier used by Federal agencies, State and local\ngovernments, and private organizations.\n\nAlthough no single Federal law regulates the overall use and disclosure of SSNs by\nFederal agencies, the Freedom of Information Act of 1966, the Privacy Act of 1974, and\nthe Social Security Act Amendments of 1990 generally govern disclosure and use of\nSSNs (see Appendix A). In addition, a number of Federal laws lay out a framework for\nFederal agencies to follow when they establish information security programs that\nprotect sensitive personal information, such as SSNs.1\n\nThe expanded use of the SSN as a national identifier provides a tempting means for\nmany unscrupulous individuals to acquire an SSN and use it for illegal purposes. While\nno one can fully prevent SSN misuse, Federal agencies have some responsibility to\nlimit the risk of unauthorized disclosure of SSNs. Because of concerns related to\nsharing of personal information and occurrences of identity theft, in 2002, Congress\nasked that we look at how Federal agencies disseminate and control the use of SSNs.\nAfter consulting with the PCIE, we agreed to serve as lead for 15 participating Offices of\nInspector General (OIG) and prepare the final report (see Appendix B). Most OIGs\nissued reports to their respective departments or agencies that included\nrecommendations for corrective actions. Each OIG focused its work on one program\n\n\n1\n  See National Defense Authorization Act for Fiscal Year 2001, Pub. L. No. 106-398, \xc2\xa7 1061, 114 Stat.\n1654 (2000); National Defense Authorization Act for Fiscal Year 1996, Pub. L. No. 104-106, \xc2\xa7 2(a)(4) and\n(5), 110 Stat. 186 (1996); the Paperwork Reduction Act of 1995, Pub. L. No. 104-13, 109 Stat.\n163 (1995); the Computer Security Act of 1987, Pub. L. No. 100-235, 101 Stat. 1724 (1988). See also\nOffice of Management and Budget Circular A-130, Management of Federal Information Resources\n(November 28, 2000).\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls over the Access, Disclosure, and Use of SSNs\nby External Entities (A-08-05-25101)                                                                   1\n\x0cwithin its respective agency.2 As such, we concluded that any findings should not be\nextrapolated to all programs in each agency. See Appendix C for the specific program\neach OIG reviewed.\n\nThis report serves as a follow up to the 2003 PCIE report, Federal Agencies\xe2\x80\x99 Controls\nover the Access, Disclosure and Use of Social Security Numbers by External Entities.\nIn performing this review, we requested that each OIG provide us the status of\ncorrective actions taken by their respective agency to address recommendations\nresulting from the previous review. We did not request that each OIG determine\nwhether their respective agency was still at-risk for improper access, disclosure and use\nof SSNs by external entities. As such, this report provides examples of some corrective\nactions taken by Federal agencies and does not address whether the agencies have\nadequate SSN controls. We conducted our review in accordance with the PCIE\xe2\x80\x99s\nQuality Standards for Inspections.\n\n\n\n\n2\n    The Department of Defense assessed SSN controls for three programs.\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls over the Access, Disclosure, and Use of SSNs\nby External Entities (A-08-05-25101)                                                    2\n\x0c                                                          Results of Review\nIn 2003, most OIGs reported their respective agencies had inadequate controls over the\naccess, disclosure and use of SSNs by external entities. Of the 15 agencies reviewed,\n\n\xe2\x80\xa2   14 lacked adequate controls over contractors\xe2\x80\x99 access to, and use of, SSNs;\n\n\xe2\x80\xa2   9 had inadequate controls over the access to SSNs maintained in their computer\n    systems;\n\n\xe2\x80\xa2   2 did not have adequate controls over non-Government and/or non-contractor\n    entities\xe2\x80\x99 access to, and use of, SSNs; and\n\n\xe2\x80\xa2   1 did not make legal and informed SSN disclosures.\n\nWe concluded that Federal agencies would benefit by strengthening some of their\ncontrols over the access, disclosure and use of SSNs by external entities. We are\nencouraged to learn that all 15 Federal agencies have taken corrective actions to\nstrengthen some of their SSN controls.\n\nCONTRACTORS\xe2\x80\x99 ACCESS TO, AND USE OF, SSNs\n\nFederal agencies incorporate different practices to ensure they have appropriate\ncontrols over contractor access to, and use of, SSNs. These include, but are not limited\nto, passwords and computer identifications; access to information on a need-to-know\nbasis; periodic review of current computer users; staff and contractor confidentiality\nagreements; security awareness training; and secure work areas. Despite these\nsafeguard requirements, 14 (93 percent) of 15 OIGs previously reported their respective\nagency had inadequate controls over contractors\xe2\x80\x99 access to, and use of, SSNs (see\nAppendix C).\n\nAs illustrated in the following examples, all of the 14 Federal agencies have taken some\nactions to address the vulnerabilities identified.3\n\n\xe2\x80\xa2   Eight OIGs reported their agencies performed site inspections to ensure contractors\n    upheld their obligation to protect the confidentiality and security of SSNs.\n\n\xe2\x80\xa2   Four OIGs reported their respective agencies provided employees and contracting\n    officers security awareness and/or Privacy Act training.\n\n\xe2\x80\xa2   One OIG reported its agency added audit steps for selected reviews to test\n    contractors\xe2\x80\x99 procedures for safeguarding individuals\xe2\x80\x99 personal identifying\n    information, such as SSNs.\n3\n Because some OIGs reported their agencies have taken multiple corrective actions, the number of\nexamples exceeds the number of Federal agencies.\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls over the Access, Disclosure, and Use of SSNs\nby External Entities (A-08-05-25101)                                                               3\n\x0c\xe2\x80\xa2   Another OIG reported its agency reviewed contractors\xe2\x80\x99 security plans and includes\n    non-agency employees who have access to agency computer systems in its annual\n    security audit.\n\n\xe2\x80\xa2   Another OIG reported its agency requires that new employees and contractors\n    complete an Information Technology Access Request Form to gain access to the\n    agency\xe2\x80\x99s mainframe. This agency also established controls to ensure it deletes\n    contractors\xe2\x80\x99 systems access after they leave the agency.\n\nACCESS TO INDIVIDUALS\xe2\x80\x99 SSNs MAINTAINED IN AGENCY DATABASES\n\nIn the 2003 review, Federal agencies that allowed access to their databases generally\nhad standard information security controls in place. Agency controls included, but were\nnot limited to, security clearances before granting computer access, computer access\ncontrolled by job title, unique user identification and passwords, firewalls, encrypted\ndata transportation, intrusion detection systems, and physical access controls. Despite\nthese safeguards, 9 (60 percent) of 15 OIGs reported their respective agencies had\ninadequate controls over access to SSNs maintained in their databases. Because of\nthe sensitive nature of information security issues, we chose to withhold detailed\ndescriptions of information security control weaknesses identified by OIGs (see\nAppendix C).\n\nAs illustrated in the following examples, all of the nine Federal agencies have taken\nactions to address these control weaknesses.\n\n\xe2\x80\xa2   One OIG reported its agency instructs all system users to ensure contractors are\n    aware of agency policies and procedures and Federal laws prohibiting the disclosure\n    of SSN information. This agency removes the system user\xe2\x80\x99s access upon receipt of\n    the user\xe2\x80\x99s termination letter and requires that each system user have security\n    clearance at a level commensurate with their duties.\n\n\xe2\x80\xa2   Another OIG reported its agency revised its computer access forms to identify the\n    user\xe2\x80\x99s security level and access needs. All of the agency\xe2\x80\x99s forms include the\n    statement, \xe2\x80\x9cAny screen or printout displaying names and SSNs contains confidential\n    information that must be secure.\xe2\x80\x9d\n\nNON-GOVERNMENT/NON-CONTRACTOR ENTITIES\xe2\x80\x99 ACCESS TO, AND USE OF,\nSSNs\n\nIn the 2003 review, 2 (13 percent) of 15 OIGs reported their agencies did not have\nadequate controls over non-Government/non-contractor entities\xe2\x80\x99 access to, and use of,\nSSNs. One OIG reported its agency had no standard contract language to include\nPrivacy Act safeguards. Another OIG reported its agency had not established financial\nstandards for outside parties to meet before accessing data containing SSN information\n(see Appendix C).\n\n\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls over the Access, Disclosure, and Use of SSNs\nby External Entities (A-08-05-25101)                                                    4\n\x0cAs illustrated in the following examples, these Federal agencies have taken some\nactions to address the vulnerabilities identified.\n\n\xe2\x80\xa2   One OIG reported its agency established standards for safeguarding SSNs. In\n    addition, the agency incorporated security features into all phases of its information\n    technology acquisition process and established security requirements for third\n    parties who wish to contract with the agency to provide automated data processing\n    services.\n\n\xe2\x80\xa2   The other OIG reported its agency developed a cover letter that it sends to\n    independent physicians encouraging them to comply with the principles of the\n    Privacy Act.\n\nDISCLOSURES OF SSNs TO EXTERNAL ENTITIES\n\nIn the 2003 review, 1 (7 percent) of 15 OIGs reported its agency did not make legal and\ninformed SSN disclosures (see Appendix C). This OIG identified instances in which the\nagency did not inform research study participants that providing their SSNs was\nvoluntary. This OIG recommended that its agency establish guidelines to ensure\nconfidentiality of SSNs. The agency revised a staff manual that addresses handling\nprivate information, such as SSNs. The manual states that all contractors are\nresponsible for strictly adhering to the procedures established in agency guidelines. It\nalso requires that management conduct periodic inspections of contractor sites and that\nall contract employees sign an agreement for the protection of private information.\n\nAlthough the 14 remaining OIGs reported their agencies generally made legal and\ninformed SSN disclosures,4 they identified instances in which agency practices\nincreased the risk that external entities may have improperly obtained and misused\nSSNs. One OIG identified instances in which its agency unnecessarily displayed SSNs\non documents it sent to external entities that may not have had a need to know.\nAnother OIG identified instances in which its agency inadvertently omitted the Privacy\nAct notice on one of its forms. The following examples illustrate some of the corrective\nactions taken by Federal agencies.\n\n\xe2\x80\xa2   One OIG reported its agency established new policies to limit the display of SSNs on\n    correspondence.\n\n\xe2\x80\xa2   Another OIG reported its agency revised one of its forms to include the Privacy Act\n    notice.\n\n\n\n\n4\n For purposes of this report, we consider SSN disclosure to have occurred when an agency provides an\nSSN to an external entity that did not already have it.\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls over the Access, Disclosure, and Use of SSNs\nby External Entities (A-08-05-25101)                                                                   5\n\x0c                                                                         Conclusions\nWe previously reported that some Federal agencies were at-risk for improper access,\ndisclosure and use of SSNs by external entities, despite safeguards to prevent such\nactivity. As such, we concluded that Federal agencies would benefit by strengthening\nsome of their SSN controls. We are encouraged that all OIGs reported their respective\nagencies have taken some corrective actions to strengthen controls over the access,\ndisclosure and use of SSNs by external entities. Given the potential for individuals to\nimproperly obtain and misuse SSNs, we encourage Federal agencies to continue their\nefforts to safeguard SSNs.\n\n\n\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls over the Access, Disclosure, and Use of SSNs\nby External Entities (A-08-05-25101)                                                      6\n\x0c                                                Appendices\nAPPENDIX A \xe2\x80\x93 Federal Laws that Restrict Disclosure of the Social Security Number\nAPPENDIX B \xe2\x80\x93 Participating Offices of Inspector General\nAPPENDIX C \xe2\x80\x93 Summary of Inadequate Controls Identified by Offices of Inspector\n             General\n\n\n\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls Over the Access, Disclosure, and Use of SSNs\nby External Entities (A-08-05-25101)\n\x0c                                                                                  Appendix A\n\nFederal Laws that Restrict Disclosure of the\nSocial Security Number\nThe following Federal laws establish a framework for restricting Social Security number\n(SSN) disclosure.1\n\nThe Freedom of Information Act of 1966 (5 U.S.C. \xc2\xa7 552)\n\nThe Freedom of Information Act (FOIA) establishes a presumption that records in the\npossession of Executive Branch agencies and departments are accessible to the\npeople. FOIA, as amended, provides that the public has a right of access to Federal\nagency records, except for those records that are protected from disclosure by nine\nstated exemptions. One of these exemptions allows the Government to withhold\ninformation about individuals in personnel and medical files and similar files when the\ndisclosure would constitute a clearly unwarranted invasion of personal privacy.\nAccording to Department of Justice guidance, agencies should withhold SSNs under\nthis FOIA exemption. This statute does not apply to State and local governments.\n\nThe Privacy Act of 1974 (5 U.S.C. \xc2\xa7 552a)\n\nThe Privacy Act regulates Federal agencies\xe2\x80\x99 collection, maintenance, use and\ndisclosure of personal information maintained by agencies in a system of records. The\nAct prohibits the disclosure of any record contained in a system of records unless the\ndisclosure is made based on a written request or prior written consent of the person to\nwhom the records pertain, or is otherwise authorized by law. The Act authorizes\n12 exceptions under which an agency may disclose information in its records.\n\nThe Act contains a number of additional provisions that restrict Federal agencies\xe2\x80\x99 use of\npersonal information. For example, an agency must maintain in its records only such\ninformation about an individual as is relevant and necessary to accomplish a purpose\nrequired by statute or Executive Order of the President, and the agency must collect\ninformation to the greatest extent practicable directly from the individual when the\ninformation may result in an adverse determination about an individual\xe2\x80\x99s rights, benefits\nand privileges under Federal programs.\n\n\n\n\n1\n Summarized from Social Security Numbers: Government Benefits from SSN Use but Could Provide\nBetter Safeguards (GAO-02-352, May 2002).\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls Over the Access, Disclosure, and Use of SSNs\nby External Entities (A-08-05-25101)                                                           A-1\n\x0cThe Social Security Act Amendments of 1990 (42 U.S.C. \xc2\xa7 405(c)(2)(C)(viii))2\n\nThe Social Security Act bars disclosure by Federal, State and local governments of\nSSNs collected pursuant to laws enacted on or after October 1, 1990. This provision of\nthe Act also contains criminal penalties for \xe2\x80\x9cunauthorized willful disclosures\xe2\x80\x9d of SSNs.\nBecause the Act specifically cites willful disclosures, careless behavior or inadequate\nsafeguards may not be subject to criminal prosecution. Moreover, applicability of the\nprovision is further limited in many instances because it only applies to disclosure of\nSSNs collected in accordance with laws enacted on or after October 1, 1990. For SSNs\ncollected by Federal entities pursuant to laws enacted before October 1, 1990, this\nprovision does not apply and therefore, would not restrict disclosing the SSN. Finally,\nbecause the provision applies to disclosure of SSNs collected pursuant to laws requiring\nSSNs, it is not clear if the provision also applies to disclosure of SSNs collected without\na statutory requirement to do so. This provision applies to Federal, State and local\ngovernmental agencies; however, the applicability to courts is not clearly spelled out in\nthe law.\n\n\n\n\n2\n    Pub. L. No. 101-624, \xc2\xa72201, 104 Stat. 3359, 3951 (1990).\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls Over the Access, Disclosure, and Use of SSNs\nby External Entities (A-08-05-25101)                                                    A-2\n\x0c                                                    Appendix B\n\nParticipating Offices of Inspector General\nDepartment of Agriculture\n\nDepartment of Defense\n\nDepartment of Education\n\nDepartment of Health and Human Services\n\nDepartment of Housing and Urban Development\n\nDepartment of Labor\n\nDepartment of the Treasury\n\nEnvironmental Protection Agency\n\nFederal Deposit Insurance Corporation\n\nNuclear Regulatory Commission\n\nOffice of Personnel Management\n\nRailroad Retirement Board\n\nSmall Business Administration\n\nSocial Security Administration\n\nTreasury Inspector General for Tax Administration\n\x0c                                                                                                                            Appendix C\n\nSummary of Inadequate Controls Identified\nby Offices of Inspector General (OIG)\n\n                                                                     INADEQUATE CONTROLS IDENTIFIED BY OIGs\n    Federal Agency\n    and Program(s) Reviewed                                                                                                    Legal and\n                                                                                      Access to SSNs     Non-Government/        Informed\n                                                                 Contractor            Maintained in      Non-contractor      Disclosure of\n                                                              Access and Use of          Agency           Access and Use     SSNs to External\n                                                                   SSNs                 Databases            of SSNs             Entities\n\n    Department of Agriculture: Food Stamp Program                      X1                  X1\n    Department of Defense: Defense Manpower Data\n    Center; Army and Air Force Exchange Service,                       X2                  X3\n    and Defense Security Service\n\n    Department of Education: Pell Grant Program                        X                    X\n    Department of Health and Human Services: Food                      X                                                             X\n    and Drug Administration\n\n    Department of Housing and Urban Development:                       X\n    Office of Housing\n\n\n\n1\n    Inadequate controls identified at the State/local levels of the Food Stamp Program.\n2\n    Inadequate controls over contractor access and use of SSNs identified in the following Department of Defense agencies: Army and Air Force\n     Exchange Service and Defense Security Service.\n3\n    Inadequate controls over access to SSNs maintained in its databases identified at the Defense Manpower Data Center.\n\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls Over the Access, Disclosure, and Use of SSNs by External Entities (A-08-05-25101)                C-1\n\x0c                                                                          Inadequate Controls Identified by OIGs\n\n Federal Agency                                                                                                               Legal and\n and Program(s) Reviewed                                                            Access to SSNs       Non-Government/       Informed\n                                                               Contractor            Maintained in        Non-contractor     Disclosure of\n                                                            Access and Use of          Agency             Access and Use    SSNs to External\n                                                                 SSNs                 Databases              of SSNs            Entities\n\n Department of Labor: Federal Employee                               X                                           X\n Compensation Act Program\n\n Department of the Treasury: Financial                               X                      X\n Management Service\n\n Environmental Protection Agency: Financial\n Management and Financial Services Divisions\n\n Federal Deposit Insurance Corporation                               X                                           X\n Nuclear Regulatory Commission                                       X                      X\n Office of Personnel Management: Retirement and\n Insurance Service, Office of Merit Systems                          X                      X\n Oversight and Effectiveness, and Investigations\n Service\n\n Railroad Retirement Board                                           X                      X\n Small Business Administration                                       X\n Social Security Administration: Title II Program                    X                      X\n Treasury Inspector General for Tax                                  X                      X\n Administration: Internal Revenue Service\n                        TOTALS                                       14                     9                     2                1\n\n\n\nFollow-up of Federal Agencies\xe2\x80\x99 Controls Over the Access, Disclosure, and Use of SSNs by External Entities (A-08-05-25101)              C-2\n\x0c                           DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\nHouse of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Executive Operations (OEO). To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                               Office of Executive Operations\nOEO supports OIG by providing information resource management and systems security. OEO\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, OEO is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c"